One of the most challenging problems in managing large networks is the sheer complexity of security administration, which makes authorization a central concern in computer and network systems. Authorization mechanisms accordingly exist in operating systems, in applications, and anywhere access to a resource must be controlled. Authorization is traditionally composed of two separate processes: authentication and access control. Authentication answers the question “who is the user?”, and access control answers the question “what may this user do to or with a given resource?”
At the resource level, networks have historically used a resource authorization policy (RAP) to decide whether a user is authorized to connect to a specified resource. The dominant RAP mechanism in traditional distributed computing networks has been the domain-based access control list (ACL). An ACL records, for each resource, which users hold read, write or execute permission on it. Because every resource carries its own list, ACLs inevitably bring manageability and complexity problems as the numbers of resources and users in today's shared computing spaces continue to grow.
Conventional RAP methods of access control grant or revoke user access on a rigid, object-by-object basis. An alternative to RAP is role based access control (RBAC) policy, also called role based security. RBAC has become a prominent model for access control because it reduces the complexity and cost of security administration in large networked applications. RBAC regulates access to computer or network resources based on the roles of individual users within an enterprise: permissions are attached to roles, and a user acquires permissions by being assigned roles. In this context, access is the ability of an individual user to perform a specific task, such as viewing, creating or modifying a file. Roles are defined according to existing roles or labels within the enterprise, e.g., job competency, authority or responsibility.
When properly implemented, RBAC enables users to carry out a wide range of authorized tasks by dynamically regulating their actions according to flexible functions, relationships and constraints. Because a user's privileges follow from that user's role assignments, roles can be created, changed or discontinued as the needs of the enterprise evolve without individually updating the privileges of every user.
RBAC thus enables activities that are difficult in the distributed access control list (ACL) models found on most computer systems, such as authorization queries across applications. However, there is currently no way to translate the role-based authoring models used to manage RBAC “roles” into resource authorization policy (RAP), such as ACL-based applications or other authorization enforcement mechanisms. As described in more detail below with respect to the various embodiments of the invention, it would be desirable to improve upon these and other deficiencies of the state of the art.
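As an added example, not part of the original application or its embodiments, the following Python sketch models the RBAC concepts described above (roles that inherit from other roles, users assigned to roles, a static separation-of-duty constraint, and discontinuing a role in one step) and then materializes the role model into per-resource ACL entries, i.e., the role-to-RAP translation that the preceding paragraph says is missing. All role, user and resource names are constructed for illustration.

```python
# Added example (not from the original application): minimal RBAC model with
# role inheritance, a separation-of-duty constraint, and a compile-to-ACL step.
# Every role, user and resource name below is constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Set, Tuple

Permission = Tuple[str, str]  # (operation, resource), e.g. ("read", "/finance/ledger")


@dataclass
class RBAC:
    role_perms: Dict[str, Set[Permission]] = field(default_factory=dict)
    role_inherits: Dict[str, Set[str]] = field(default_factory=dict)  # senior -> junior roles
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    # Static separation of duty: no user may hold both roles of any listed pair,
    # whether directly or through inheritance.
    exclusive: Set[FrozenSet[str]] = field(default_factory=set)

    def add_role(self, role: str, *inherits: str) -> None:
        for junior in inherits:
            if junior not in self.role_perms:
                raise KeyError(f"unknown role {junior!r}")
        self.role_perms.setdefault(role, set())
        self.role_inherits.setdefault(role, set()).update(inherits)

    def grant(self, role: str, operation: str, resource: str) -> None:
        self.role_perms[role].add((operation, resource))

    def _closure(self, roles: Iterable[str]) -> Set[str]:
        """Given roles plus everything they inherit, transitively."""
        seen: Set[str] = set()
        stack = list(roles)
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            stack.extend(self.role_inherits.get(r, ()))
        return seen

    def can_assign(self, user: str, role: str) -> bool:
        """True unless the resulting effective role set violates a separation-of-duty pair."""
        if role not in self.role_perms:
            return False
        effective = self._closure(self.user_roles.get(user, set()) | {role})
        return not any(pair <= effective for pair in self.exclusive)

    def assign(self, user: str, role: str) -> None:
        if not self.can_assign(user, role):
            raise ValueError(f"cannot assign {role!r} to {user!r}: unknown role or duty conflict")
        self.user_roles.setdefault(user, set()).add(role)

    def retire_role(self, role: str) -> None:
        """Discontinue a role in one step; no per-user privilege edits are needed."""
        self.role_perms.pop(role, None)
        self.role_inherits.pop(role, None)
        for juniors in self.role_inherits.values():
            juniors.discard(role)
        for roles in self.user_roles.values():
            roles.discard(role)

    def effective_roles(self, user: str) -> Set[str]:
        return self._closure(self.user_roles.get(user, ()))

    def permissions(self, user: str) -> Set[Permission]:
        perms: Set[Permission] = set()
        for r in self.effective_roles(user):
            perms |= self.role_perms.get(r, set())
        return perms

    def check(self, user: str, operation: str, resource: str) -> bool:
        """The access-control question: may this user perform this operation here?"""
        return (operation, resource) in self.permissions(user)

    def compile_acl(self) -> Dict[str, Dict[str, Set[str]]]:
        """Translate the role model into resource -> user -> operations (an ACL view).

        This is the role-to-RAP direction the text describes as missing: regenerate
        the ACLs from the role model after any change instead of editing them by hand.
        """
        acl: Dict[str, Dict[str, Set[str]]] = {}
        for user in self.user_roles:
            for operation, resource in self.permissions(user):
                acl.setdefault(resource, {}).setdefault(user, set()).add(operation)
        return acl


def build_example() -> RBAC:
    """Constructed sample enterprise: clerks post ledger entries, auditors review them."""
    rbac = RBAC()
    rbac.add_role("employee")
    rbac.add_role("clerk", "employee")          # clerk inherits employee
    rbac.add_role("auditor", "employee")
    rbac.add_role("finance_manager", "clerk")   # manager inherits clerk, hence employee
    rbac.exclusive.add(frozenset({"clerk", "auditor"}))  # nobody both posts and audits
    rbac.grant("employee", "read", "/handbook")
    rbac.grant("clerk", "write", "/finance/ledger")
    rbac.grant("auditor", "read", "/finance/ledger")
    rbac.grant("finance_manager", "approve", "/finance/ledger")
    rbac.assign("alice", "finance_manager")
    rbac.assign("bob", "auditor")
    return rbac
```

Note that the separation-of-duty check is evaluated over the effective (inherited) role set, not just the directly assigned roles: giving the auditor "bob" the finance_manager role is refused because finance_manager inherits clerk. Retiring a role with retire_role removes it from every user in one step, and a subsequent compile_acl reflects the change in every affected resource's list without per-resource editing.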